Overview of ACE Network Address Translation

You can configure the ACE to translate a client source IP address to a routable address in the server's network. This process is called source NAT (SNAT). If you want to preserve the client source IP address, do not configure SNAT.

You can also configure the ACE to translate the private address of a server to a global IP address that is accessible to clients. This process is called destination NAT (DNAT) and protects the server by hiding its real IP address from the Internet.

Besides translating IP addresses, you can configure the ACE to translate TCP and UDP ports. This process is called port address translation (PAT).

The ACE provides the following types of NAT and PAT:

Interface-based dynamic NAT

Interface-based dynamic PAT

Server farm-based dynamic NAT

Static NAT

Static port redirection

NAT Configuration Guidelines and Restrictions

When you configure NAT and PAT on your ACE, keep the following guidelines and restrictions in mind:

If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.

You can configure dynamic NAT or static NAT as an input service policy only; you cannot configure it as an output service policy.

When you remove a traffic policy from the last VLAN interface on which you applied the service policy, the ACE automatically resets the associated service-policy statistics. The ACE performs this action to provide a new starting point for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface.

Configuring Dynamic NAT and PAT

Dynamic NAT is typically used for SNAT. When you configure dynamic NAT and PAT, be sure to configure an interface for the client-side VLAN and an interface for the server-side VLAN.

The following SNAT configuration example shows the commands that you use to configure dynamic NAT and PAT on your ACE. In this SNAT example, packets that ingress the ACE from the 192.168.12.0 network are translated to one of the IP addresses in the NAT pool defined on VLAN 200 by the nat-pool command. The pat keyword indicates that ports higher than 1024 are also translated.

Note:

If you are operating the ACE in one-arm mode, omit the client-side interface VLAN 100 and configure the service policy on interface VLAN 200.
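A configuration consistent with the description above, written as an added example for this page rather than taken from the Cisco documentation. The ACL, class-map and policy-map names, the /24 mask, the interface addresses, the pool ID and the pool range are assumptions. Only the 192.168.12.0 source network, VLAN 100, VLAN 200 and the nat-pool, pat and nat dynamic keywords come from the text.

```cisco
! Lines starting with "!" are annotations for the reader, not ACE commands.
! Constructed values: NAT_ACCESS / NAT_CLASS / NAT_POLICY, the /24 mask,
! interface addresses, pool ID 1 and the pool range 10.20.0.100-109.
! Assumed to exist elsewhere: access-group ACLs that permit the traffic.

! Select only the client network for translation; a broader match would
! also rewrite the source address of traffic you may want to keep intact.
access-list NAT_ACCESS extended permit ip 192.168.12.0 255.255.255.0 any

class-map match-any NAT_CLASS
  match access-list NAT_ACCESS

! "nat dynamic <pool-id> vlan <egress-vlan>" ties the matched traffic to
! pool 1 on VLAN 200. The pool ID here must equal the ID on the nat-pool line.
policy-map multi-match NAT_POLICY
  class NAT_CLASS
    nat dynamic 1 vlan 200

! Client-side VLAN: dynamic NAT is accepted as an input service policy only,
! so the policy is attached where the client packets ingress.
interface vlan 100
  ip address 192.168.12.1 255.255.255.0
  service-policy input NAT_POLICY
  no shutdown

! Server-side VLAN: the pool is defined on the interface the packets egress.
! "pat" enables port translation in addition to address translation, so
! more clients than pool addresses can be served.
interface vlan 200
  ip address 10.20.0.2 255.255.255.0
  nat-pool 1 10.20.0.100 10.20.0.109 netmask 255.255.255.0 pat
  no shutdown
```

With SNAT in place, server logs record pool addresses instead of client addresses, so keep the ACE translation records available if you need to attribute a connection to a client.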

Configuring Server-Farm Based Dynamic NAT

The following SNAT configuration example shows the commands that you use to configure server farm-based dynamic NAT on your ACE. In this SNAT example, real server addresses on the 172.27.16.0 network are translated to one of the IP addresses in the NAT pool defined on VLAN 200 by the nat-pool command.

Note:

If you are operating the ACE in one-arm mode, omit interface VLAN 100 and configure the service policy on interface VLAN 200.

Configuring Static NAT and Port Redirection

The following DNAT configuration example shows those sections of the running configuration that are related to the commands necessary to configure static NAT and port redirection on your ACE. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingress the ACE on VLAN 101 are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.

Configuring SNAT with Cookie and Load Balancing

The following configuration example shows those commands necessary to configure SNAT (dynamic NAT) with cookie load balancing. Any source host that sends traffic to the VIP 20.11.0.100 is translated to one of the free addresses in the NAT pool in the range 30.11.100.1 to 30.11.200.1, inclusive. If you want to use PAT instead of NAT, replace nat dynamic 1 vlan 2021 with nat dynamic 2 vlan 2021 in the L7SLBCookie policy map.

2. Use the show xlate command to verify that dynamic NAT and PAT, and static NAT and port redirection, are taking place properly.

Dynamic NAT Example

The following example output of the show xlate command shows dynamic NAT (SNAT in this example). When you use Telnet from IP address 172.27.16.5 in VLAN 2020, the ACE translates it to IP address 192.168.100.1 in VLAN 2021.

src-nat policy_id mapped_if -- Displays the specified source NAT policy information. To obtain the values for the policy_id and mapped_if arguments, view the policy_id and mapped_if fields displayed by the show nat-fabric policies command.

dst-nat static_xlate_id -- Displays the static address translation for the specified static XLATE ID. To obtain the value for the static_xlate_id argument, view the static_xlate_id field displayed by the show nat-fabric policies command.